Not sure I get your drift. I am talking about the problem in the OP, not about "me," and not about "preventing programs from doing X and Y" but rather about an agreement about what is legitimate and what is not, or as I said, one person's "'the only technique that will work' [a phrase one poster used] is someone else's 'criminal breach of security.'" Failing that, a formal affirmation of "we do X but we don't do Y."
Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Edward Jaffe
Sent: Thursday, March 08, 2012 7:15 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Program FLIH backdoor - This is a criminal breach of security!

On 3/8/2012 6:40 AM, Charles Mills wrote:
> From a non-technology point of view, we need some sort of industry
> agreement on what is good behavior in an authorized program. I am
> thinking of something like a standardized set of questions that a
> vendor could answer and have an officer certify: "Mr./Ms. Customer, we
> are asking for APF authorization. I certify under penalty of fraud
> that our program uses APF authorization to do X, and Y, and Z but does
> not do A, and B, and C."

You have no integrity statement?? Wow! You might consider drafting one... Here is IBM's you can use as a template:

http://www.ibm.com/systems/z/os/zos/features/racf/zos_integrity_statement.html

--
Edward E Jaffe
Phoenix Software International, Inc
831 Parkview Drive North
El Segundo, CA 90245
310-338-0400 x318
edja...@phoenixsoftware.com
http://www.phoenixsoftware.com/

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN